Detect PowerShell w/o PowerShell Execution via RunDLL32 and various other methods

[JulianDroste]

Description of the Idea of the Rule

I want to propose a rule enabling the detection of PowerShell without using the well-known powershell.exe but rather via rundll32.exe and various other methods. Projects like PowerShx and its predecessor PowerShdll enable this method of PowerShell Execution. Happy to gather feedback from you!

Public References / Example Event Log

• https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
• https://www.ired.team/offensive-security/code-execution/powershell-without-powershell
• https://bank-security.medium.com/how-to-running-powershell-commands-without-powershell-exe-a6a19595f628

[nasbench]

Hi,

We have 2 rules covering a similar behaviour.

• The first is looking powershell keywrods in conjunction with rundll32 or similar https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml
• The second is looking for the DLL load of System.Management.Automation.Dll (which the core powershell DLL) from non powershell processes https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml

Hope this helps.

[JulianDroste]

Hi @nasbench thanks for the swift feedback - I apparently overlooked those two rules. To my understanding the two rules should cover what I want to detect. Not too sure if the additional resources provided add anything to "enhance" the existing rules, but apart from that I think this issue can be closed :)

[nasbench]

Still haven't delve deep into them, I appreciate you providing them and will definitely look into it to see if I can improve them in any form. I'll leave this open for now just so I can get back to you once I finish checking everything in them.

Thanks once again, really appreciate it the feedback